PonyFinal malware: What it is, how it works and how to prevent it | Malware spotlight

Introduction to PonyFinal

PonyFinal ransomware appeared for the first time in 2020. It is malware that relies on human-operated attacks, i.e., attacks that exploit information security vulnerabilities of the targeted systems. Such vulnerabilities may include network weaknesses like bottlenecks and network disruptions. 

During the COVID-19 pandemic, the number of cyberattacks using human-operated ransomware increased significantly. Other types of human-operated ransomware include Maze, REvil (Sodinokibi), RobbinHood and NetWalker. 

Human-operated ransomware typically affects fewer computers than malware that propagates through phishing. This is because the former type of malware requires well-planned targeted attacks, while the latter type spreads automatically.

The purpose of this article is to examine the operation of PonyFinal and provide recommendations on how to avoid an infection with it. At the end of the article, we provide concluding remarks.

The operation of PonyFinal

PonyFinal is usually installed after brute-force attacks give the fraudsters unauthorized access to an account on the targeted computer. A brute-force attack consists of submitting a large number of passwords with the aim of guessing the correct one.
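Defenders can look for this pattern in logon telemetry: a run of failed logons for one account from one source, followed by a success. The Python code below is an added example, not part of the original article. It relies on Windows Security event IDs 4625 (failed logon) and 4624 (successful logon); the sample events, account names, thresholds and function name are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624  # Windows Security event IDs

# Constructed sample events: (timestamp, event ID, account, source address).
# Addresses come from the documentation ranges; nothing here is real telemetry.
SAMPLE_EVENTS = (
    [(f"2020-05-27T02:10:{s:02d}", FAILED_LOGON, "svc-mgmt", "203.0.113.7")
     for s in range(0, 60, 10)]                      # six rapid failures
    + [("2020-05-27T02:11:05", SUCCESSFUL_LOGON, "svc-mgmt", "203.0.113.7"),
       ("2020-05-27T08:59:40", FAILED_LOGON, "alice", "198.51.100.20"),
       ("2020-05-27T09:00:02", SUCCESSFUL_LOGON, "alice", "198.51.100.20")]
)


def find_bruteforce_success(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a successful logon preceded by at least `threshold` failed logons
    for the same account from the same source within `window`."""
    failures = defaultdict(deque)  # (account, source) -> recent failure times
    alerts = []
    for ts, event_id, account, source in sorted(events):
        when = datetime.fromisoformat(ts)
        recent = failures[(account, source)]
        # Drop failures that have aged out of the sliding window.
        while recent and when - recent[0] > window:
            recent.popleft()
        if event_id == FAILED_LOGON:
            recent.append(when)
        elif event_id == SUCCESSFUL_LOGON:
            if len(recent) >= threshold:
                alerts.append({
                    "account": account,
                    "source": source,
                    "failed_attempts": len(recent),
                    "success_at": ts,
                })
            recent.clear()  # a success ends the current guessing run
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce_success(SAMPLE_EVENTS):
        print(alert)
```

An alert from this check marks an account whose password was probably guessed, so the account and the host it logged on to are the starting points for investigation.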

Once the fraudsters compromise the targeted computer, they deploy:

  1. A Visual Basic script running a PowerShell reverse shell that has the capacity to steal local data
  2. A system that bypasses event logging

Next, the crooks gain unauthorized access to other computers within the compromised network. Afterwards, they proceed with the actual installation of PonyFinal.

PonyFinal is usually installed on workstations that run the Java Runtime Environment (JRE), because the malware is written in Java. However, Microsoft observed cases where the fraudsters installed the JRE themselves so that the malware could run.

The malware starts encrypting the files of the infected computer shortly after it is executed. It adds (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Daniel Dimov. Read the original post at:
